IPS' WUI does not get back to »normal« after enabling

Hi there,

Yesterday, after studying the IPFire Security Hardening Guide, I was trying to activate IPFire’s IPS.

So I enabled it in the WUI like that:

But after removing the selection on »Monitor traffic only« and confirming with Save, it would take a veeery long time applying and finally end up with this:

I guess that's not how it should be, right?
I have to admit, my hardware is not the latest since I use IPFire at home only.
Any ideas?

Regards
Matthias


The hardware I was talking of…

Hi @matthaesius,

Your hardware only has 1GB of memory. The IPS is a memory-consuming process, especially at startup. The IPFire recommendation is for a minimum of 1GB, but to increase this if addons are used and especially memory-intensive processes like IPS, Web Proxy and URL filter.

On your memory page (under menu Status), what does the table at the bottom show for how much swap has been used? Does your swap graph show any colour except green, and what does the RAM line say for % at the right-hand side?

I also notice that your hardware is 32-bit. In June last year it was announced that support for the 32-bit architecture would be discontinued. It is marked as Legacy on the download page, so still downloadable, but end of life is scheduled for the end of 2021.

Here are some blog links related to 32-bit.

https://blog.ipfire.org/post/32-bit-is-dead-long-live-32-bit
https://blog.ipfire.org/post/ipfire-2-25-core-update-146-released

For the record: your observations are right.
But if I read the pictures right, there may be a problem in the WUI/IPS control code.
It would be nice if the thread opener could document the issue a bit more and post a topic to Bugzilla.
As we know, only small systems show up the problems in code.
Having a very small system, I didn't (and can't) check this yet. Maybe an inspection of the code shows the reason for this issue.

Hello Gentlemen,

thanks a lot for your quick answers.

Well, the memory utilization doesn't look that bad actually.

The peak on Friday night is the time when I activated it.

This morning, after I posted the thread, I changed the ruleset provider to Snort, afterwards the page looked normal.
Then I changed it back to Emerging Threats Community rules, did the same thing as yesterday night, and it worked. I'll try to reproduce the failure later and see if it happens again.

But now I've got another question again:
On the »IPS Logs« page there is nothing:

Does the 0 at "total No. of activated rules" mean that no rule has been triggered, or that none is active? Because I did activate some.

Regards
Matthias


Hi Matthias,

I just started using IPS a week or so back, with just Snort Community Rules, and I have found the same thing with my logs: they are completely empty. I intend to change to some other rules and see if it was my choice of ruleset that was not appropriate.

Hi Matthias,

Was reading through this page in the wiki
https://wiki.ipfire.org/configuration/firewall/ips/rule-selection

and there is this section

If no rules have been activated and you want to ensure the IPS is working, enable an IP blocklist (like the ET dshield.rules) for an hour. Most internet connected systems should see at least one rule activated in that time.

I will give that a try tomorrow.


So I selected the ET dshield rules this morning and within a few minutes I had 6 entries in the logs. Proves the system is working as it should.

So if I am not getting any hits then either no intrusion is being tried on my system or the rules selected are not appropriate for the threats that are appropriate for my network.

As it says in the wiki, the IPS is not a set-and-forget system. I will go back and read the IPS wiki more thoroughly.
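The thread's open question was whether "0 activated rules" in the IPS Logs page means no rule fired or no rule is enabled. The WUI summarises the alerts the IPS engine writes to its log, so a quick way to settle it is to count alerts per rule directly from that log. The following is an added example, not code from the thread or from IPFire itself: it assumes IPFire's IPS is Suricata and that its alert log uses the one-line `fast.log` shape shown in the constructed sample below (signature IDs, addresses and timestamps in `SAMPLE_LOG` are made up for the example). It parses the lines, skips anything that does not match, and reports how many distinct rules fired, how often, and from which sources; a result of zero alerts with rules enabled is exactly the "nothing hit yet" case the wiki's dshield test is meant to resolve.

```python
import re
from collections import Counter

# Assumed Suricata fast.log alert line layout:
#   <timestamp>  [**] [gid:sid:rev] <message> [**] [Classification: <cls>] [Priority: <n>] {<proto>} <src>:<port> -> <dst>:<port>
# The Classification field is optional because rules without a classtype omit it.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

# Constructed sample input (not a real capture); one malformed line is included
# on purpose to show that unparseable lines are skipped rather than counted.
SAMPLE_LOG = """\
01/22/2021-08:12:01.104532  [**] [1:2402000:5865] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:44321 -> 198.51.100.2:22
01/22/2021-08:12:07.551021  [**] [1:2402000:5865] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 203.0.113.5:44322 -> 198.51.100.2:443
01/22/2021-08:13:44.009813  [**] [1:2402000:5865] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.77:5060 -> 198.51.100.2:5060
01/22/2021-08:15:10.330007  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.2:80 -> 192.0.2.10:51234
01/22/2021-08:16:00.000001  [**] [1:9000001:1] Example rule without classtype [**] [Priority: 3] {TCP} 192.0.2.44:40000 -> 198.51.100.2:8080
this line is not an alert and must be ignored
"""


def parse_fast_log(text):
    """Return one dict per well-formed alert line; malformed lines are dropped."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FAST_LOG_RE.match(line)
        if m is None:
            continue  # not an alert line (or a layout this parser does not know)
        rec = m.groupdict()
        rec["sid"] = int(rec["sid"])
        rec["prio"] = int(rec["prio"])
        rec["src_ip"] = rec["src"].rsplit(":", 1)[0]  # strip the port, IPv4 or IPv6
        rec["dst_ip"] = rec["dst"].rsplit(":", 1)[0]
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Aggregate alerts the way the WUI's log page would: per rule and per source."""
    per_rule = Counter((a["sid"], a["msg"]) for a in alerts)
    per_source = Counter(a["src_ip"] for a in alerts)
    return {
        "total_alerts": len(alerts),
        "rules_fired": len(per_rule),  # distinct rules that produced at least one alert
        "per_rule": per_rule,
        "per_source": per_source,
    }


def ips_is_alerting(text):
    """True if at least one rule fired; False means 'no hits', not 'no rules enabled'."""
    return summarize(parse_fast_log(text))["total_alerts"] > 0


if __name__ == "__main__":
    report = summarize(parse_fast_log(SAMPLE_LOG))
    print(f"{report['total_alerts']} alerts from {report['rules_fired']} distinct rules")
    for (sid, msg), n in report["per_rule"].most_common():
        print(f"  sid {sid}: {n}x  {msg}")
    for ip, n in report["per_source"].most_common():
        print(f"  source {ip}: {n} alert(s)")
```

Run against an empty log the summary reports zero alerts and zero rules fired, which is what the WUI shows while enabled rules simply have not matched anything; the blocklist test from the wiki is a way to make at least one rule fire so the two cases can be told apart.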